Vulnerabilities in RunKeeper website could allow hackers to run XSS worm

Security researcher David Sopas has discovered Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities in the RunKeeper website, the official site of the popular GPS fitness-tracking application.

The POST request on the "Account Settings" page did not use a security token to validate the request, resulting in a CSRF vulnerability. It could have allowed cybercriminals to modify the information of an authenticated user by tricking them into clicking a crafted link that sends a malicious request.

The persistent XSS vulnerability on the user Account Settings page and on the profile page posed a potential security risk. Cybercriminals could have launched a malicious attack and infected millions of users.

Combining the XSS and CSRF vulnerabilities into a hybrid attack results in hijacking the user's profile. Hackers could also have modified the proof of concept (PoC) slightly and run an XSS worm.

RunKeeper fixed these security issues immediately after receiving notification from Sopas.